2.6.38-stable review patch. If anyone has any objections, please let us know.

------------------From: Vasiliy Kulikov <segoon@openwall.com>

commit 42eab94fff18cb1091d3501cd284d6bd6cc9c143 upstream.

Structures ipt_replace, compat_ipt_replace, and xt_get_revision arecopied from userspace. Fields of these structs that arezero-terminated strings are not checked. When they are used as argumentto a format string containing "%s" in request_module(), some sensitiveinformation is leaked to userspace via argument of spawned modprobeprocess.

The first bug was introduced before the git epoch; the second isintroduced by 6b7d31fc (v2.6.15-rc1); the third is introduced by6b7d31fc (v2.6.15-rc1). To trigger the bug one should haveCAP_NET_ADMIN.